
Zlob related - cannot run any files .bat, .exe cmd etc.

slipperx, Member, 21 posts
Posted 09 July 2008 - 04:08 AM

Hi

I have now been over a week trying to get my computer to run properly. The bottom of this post contains the latest log file. I am using a Sony Vaio laptop with Windows XP SP2 which became infected with a variant of the Zlob virus. I used Trend Micro PC-cillin to remove the virus and have deleted the files relating to the virus together with the restore points affected as reported by Trend Micro. I am not sure which variant it was as I have deleted the information in trying to get the machine running. I am not sure why the virus got past PC-cillin in the first place.

The issue is now that in a normal boot situation Windows loads but no programme will load, including Explorer; I cannot install anything, cannot access any of the management consoles or really do anything. Each time I try I get an error saying I may not have permission to access the file. My login is as a computer administrator. I have rechecked that that has not changed and I managed to verify it from within normal Windows. I also found out that sometimes during the boot procedure, if I click immediately when the icons appear, then I can open certain programmes, but a few seconds later the same programme will not open, giving the permissions error again.

I assumed that the infection had somehow changed the permissions on my system, so I booted into safe mode and ran Dial-a-fix reset permissions, reset registry associations etc., which completed OK saying only some components could not be found. I rebooted normally but the same symptoms existed. I figured that something must be loading during the boot process to refuse my access, but in managing to get into the computer management console one time during boot up I found that I am still listed in the Administrators group, and a new account I set up with administrator rights also exhibited the same symptoms. So I figured maybe something was loading and unloading into the registry to disguise itself when you boot into safe mode somehow. I removed the HKLM run and HKCU run keys from the registry together with all the startup programs in the D&S/... Startup folder for All Users and my own profile and rebooted. Same problem, no access allowed. I reinstated these back again and still cannot access any programmes, but now do not even seem to be able to get into anything during Windows startup anymore.

I can run Trend Micro in normal mode; for some reason this does not seem to be prevented from loading but I am not sure why. I have run a scan with that several times and also using HouseCall, which does not produce any infections or problems. I cannot run the programmes listed in the 5 step process so am not sure what to do now. This all started from the Zlob infection which came packaged in a bad video codec.

Please help if you can and thanks for your time reading this.

Ian

I have a Bart PE disk so have been able to restore the system to a previous point long before the virus infected the machine, but that did not solve things.

*** Since posting this message and the following logs I managed eventually (very eventually) to get ComboFix to run and here is the logfile. Immediately after running ComboFix the programs on the computer are accessible, but after shutting down and restarting the computer the programs are again unavailable. Nothing will run: I cannot view text files, cannot access control panel items, cannot run cmd, cannot open any .bat, .exe and so on. The computer is unusable; any time any of the above programs are attempted to be opened I get a 'You may not have the appropriate permissions...' warning. I have again run repair permissions and repair associations from Dial-a-Fix in safe mode but to no avail. The first time after running these programs the icons take a very long time to appear on reboot; it looks like maybe the virus hijacks the computer at startup and disables everything from running. For some reason about 1 time in 10 you can very quickly double click an icon immediately it appears and get it to run, but the other 9 times it doesn't matter how quick you are, it just locks me out.

P.S. Tried to install the Recovery Console but cannot because the virus refuses access. Anyway, I have a Bart PE disk so can use that for most repair things.

Log:

ComboFix 08-07-09.4 - Ian 2008-07-10 6:41:07.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.477 [GMT -4:00]
Running from: C:\Documents and Settings\Ian\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!.


slipperx, Member (Topic Starter), 21 posts
Posted 09 July 2008 - 05:19 AM

Since the last edit I managed to get a Malwarebytes scan to run; it found 11 Zlob infections in URL links. I removed and deleted them. Now scanning a second time, then I will reboot and repair file associations again and reboot normally and will advise what happened. Thanks for reading and hope this log helps someone else.

Since the last edit I managed to get a DSS scan done and the log is posted below the HijackThis log, thanks.

Since posting this I have noticed that if I reboot into normal mode having been in normal mode the previous session, the computer takes a long time to display the desktop icons and it doesn't matter how quick you are, it is impossible to start anything. If I go into safe mode and run Dial-a-fix repair permissions and then reboot into normal mode, the icons appear much quicker and it is just possible to get in quick enough to run a programme. Therefore I am now trying to get the anti-spy software installed and will add the logs below here as soon as I manage to get that done. Thanks.

Managed to get a HijackThis log during startup after multiple attempts. Nothing else can be opened after about 10 seconds into Windows startup so you have to get in quick!

kahdah

Posted 12 July 2008 - 05:59 AM

slipperx, Member (Topic Starter), 21 posts
Posted 13 July 2008 - 03:11 AM

Hi

Thanks for the response. I am having a terrible time getting dss.exe to run. I have rebooted the computer numerous times already, restored using safe mode and also tried rebuilding the permissions and resetting the file associations again, but whatever I do I cannot run any programs at all and cannot seem to get dss.exe to run before Windows is hijacked. All I get is an error saying 'Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access this item.' I am logging in as administrator, and I can run anything from the Administrator or my user account I use for normal log in if I go into safe mode, but running dss.exe from safe mode isn't going to help you, is it?

Event Record #/Type: 30554 / Error
Event Submitted/Written: 07/13/2008 08:26:22 AM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The Trend Micro Proxy Service service depends on the Trend Micro TDI Driver service which failed to start because of the following error: %%31

Event Record #/Type: 30553 / Error
Event Submitted/Written: 07/13/2008 08:26:22 AM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: %%31

Event Record #/Type: 30552 / Error
Event Submitted/Written: 07/13/2008 08:26:22 AM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: %%31

Event Record #/Type: 30551 / Error
Event Submitted/Written: 07/13/2008 08:26:22 AM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: %%31

-- End of Deckard's System Scanner: finished at 2008-07-13 08:29:08 ------------

kahdah, GeekU Teacher, Retired Staff, 15,822 posts
Posted 13 July 2008 - 07:22 AM

Please go to Start > Run, then copy/paste this in: "%userprofile%\desktop\dss.exe" /daft and hit OK.
Place a check next to everything and click on Fix.
Then scan again and it should say all associations OK.

Copy everything inside the quote box below (starting with dir) and paste it into Notepad. Go up to "File > Save As" and click the drop-down box to change the "Save As Type" to "All Files". Save it as findfile.bat on your Desktop.

dir C:\WINDOWS\system32\788877 /a h > files.txt
notepad files.txt

Locate findfile.bat on your Desktop and double-click on it. It will open Notepad with some text in it. Please post the contents of that Notepad here.
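The findfile.bat step above writes one directory listing to a text file and opens it in Notepad. The batch file below is an added example, not kahdah's script and not part of this thread, that applies the same pattern to the places the thread has been discussing: the file associations that Dial-a-fix repairs and the HKLM/HKCU Run keys and Startup folders that slipperx cleared by hand. The report name checkstart.txt and the list of keys queried are my choices; reg.exe, assoc and ftype ship with Windows XP, and the Desktop and Start Menu paths assume an English XP profile. Because the thread reports that programs still start in Safe Mode, that is where to run it; the report it opens can then be compared between a Safe Mode and a normal-mode session to see which of these locations differ.

```batch
@echo off
rem checkstart.bat - added example, not from this thread.
rem Collects the file-association and autostart entries discussed in the
rem thread into one report on the Desktop, then opens it in Notepad.
rem Assumes Windows XP (reg.exe, assoc and ftype present) and an English
rem profile layout; the report file name is an arbitrary choice.
setlocal
set REPORT=%userprofile%\Desktop\checkstart.txt

echo === checkstart report %date% %time% === > "%REPORT%"

echo. >> "%REPORT%"
echo --- File associations --- >> "%REPORT%"
rem On a clean XP machine .exe maps to exefile and ftype shows
rem exefile="%1" %*. If an association is missing, assoc reports the
rem error on stderr, which is captured into the report as well.
for %%E in (.exe .bat .cmd .com .txt .reg) do assoc %%E >> "%REPORT%" 2>&1
for %%T in (exefile batfile cmdfile comfile txtfile regfile) do ftype %%T >> "%REPORT%" 2>&1
rem Per-user class entries under HKCU take precedence over HKCR, so
rem record both copies of the exefile open command.
reg query "HKCR\exefile\shell\open\command" >> "%REPORT%" 2>&1
reg query "HKCU\Software\Classes\exefile\shell\open\command" >> "%REPORT%" 2>&1

echo. >> "%REPORT%"
echo --- Autostart registry keys --- >> "%REPORT%"
rem The Run/RunOnce keys are the ones the thread mentions; Winlogon holds
rem the Shell and Userinit values that start Explorer and the user session.
for %%K in (
  "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
  "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce"
  "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
  "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce"
  "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
  "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
  "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
) do (
  echo [%%~K] >> "%REPORT%"
  reg query %%K >> "%REPORT%" 2>&1
)

echo. >> "%REPORT%"
echo --- Startup folders (all attributes, hidden files included) --- >> "%REPORT%"
dir /a "%userprofile%\Start Menu\Programs\Startup" >> "%REPORT%" 2>&1
dir /a "%allusersprofile%\Start Menu\Programs\Startup" >> "%REPORT%" 2>&1

rem Same finishing step as findfile.bat: open the report for posting.
notepad "%REPORT%"
endlocal
```

Save it the same way as findfile.bat (Notepad, "Save As Type" set to "All Files") and double-click it. Running it once from Safe Mode and once during a normal boot that gets through gives two reports whose differences point at whatever is being changed between the two sessions.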

kahdah, GeekU Teacher, Retired Staff, 15,822 posts
Posted 14 July 2008 - 04:05 AM

No, it's not malware; it is part of ComboFix or SmitFraudFix or other tools that we use here.

Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.

The program will install and then begin downloading the latest definition files.

After the files have been downloaded on the left side of the page in the Scan section select My Computer

This will start the program and scan your system.

The scan will take a while, so be patient and let it run.

Once the scan is complete, click on View scan report

Now, click on the Save Report as button.

Save the file to your desktop.

Copy and paste that information in your next post.



slipperx, Member (Topic Starter), 21 posts
Posted 14 July 2008 - 07:12 AM

Hi

I tried that. The Cleaner worked fine and removed some files (I thought I'd already done that once, but anyway on the second run through it said no files found so it must be clean). The Kaspersky scan I tried to do before but was not able to get it to run because the problem on the computer will not allow you to open Explorer, so I can't get on the internet. In safe mode I can get on the internet, but the scanner requires Java version 1.5 (which I thought I had but maybe not) and I cannot do the install of that in safe mode as it gives me an error saying the Administrator has set policies restricting the installation, which I guess is just to do with safe mode and not to do with the permissions restrictions which the virus is imposing.

slipperx, Member (Topic Starter), 21 posts
Posted 16 July 2008 - 04:52 AM

Hi

Well, I did as you suggested and the log is posted below. The thing is that I am 99% certain that the problems are to do with a virus or malware or some other evil thing lurking in the computer, and that it came along with the Zlob virus, because as soon as I got the virus I cleaned it and on the next reboot these issues started to appear. Now if I log in in safe mode then my profile loads fine and I can do pretty much anything, run any program, get on the internet and so on. As soon as I boot normally, any program clicked results in the "You do not have access ....maybe you do not have permissions.." error warning popping up and the load operation fails. Now if the profile loads fine in safe mode then something must be being loaded in normal mode. It appears that either the registry is altered during startup allowing the permissions to be blocked and then whatever process it is removes itself so you cannot see it in the safe mode scans. As I said before, I could sometimes get one or two programs to run if I immediately clicked on the icons while the startup process was going on, but even this small benefit has now disappeared. I am not a super technical computer wizard or anything but I am sure it is an issue resulting from the infection, but I do not know what else to try. I had to run dss.exe in safe mode again as normal mode just refused me access yet allows access in safe mode using the same profile. One other strange thing is that the Trend Micro control panel and facilities are all available in normal boot; that is not something that gets screwed up, maybe because it is loaded during the startup process.

I also noticed that when I did manage to get a couple of the scans and stuff done earlier when I jumped in really quick (which I don't seem to be able to do anymore), that program could be run with no problems but other programs would be locked out a very short time after. So it seems to me that some process is getting started during logon that blocks access to programs, but sometimes you could get in before that process had completed and then you could use the program.

Deckard's System Scanner v20071014.68
Run by Ian on 2008-07-16 06:30:44
Computer is in Safe Mode with Networking.
--------------------------------------------------------------------------------